Multiparty Homomorphic Encryption for IoV Based on Span Program and Conjugate Search Problem

Abstract

With the rapid development of the automotive industry, research on the internet of vehicles (IoV) has become a hot topic in the field of automobiles. Considering the privacy of data collected from vehicles, this paper proposes a novel multiparty homomorphic encryption scheme (MHE) for secure multiparty computation without the need for a trusted third party. The scheme ensures efficient computation of data while preserving the privacy of each party’s data. It consists of four phases: construction, computation, recombination, and refreshing. In the recombination phase, the key is reconstructed using a span program, enabling secure computation among participating parties under a semi-honest model. Finally, we compare the proposed scheme with mainstream approaches and conduct experiments within the framework of federated learning. Through both experimental and theoretical analyses, the performance of the proposed scheme is comprehensively evaluated, demonstrating its efficiency and correctness.

1. Introduction

Underpinned by the new generation of information and communication technologies, such as cloud computing, big data, and artificial intelligence, the internet of vehicles (IoV) comprises vehicles, roadside units, cloud servers, and other devices. The IoV enables intelligent traffic management, dynamic information services, and vehicle automation through multidimensional interactions among vehicles, individuals, and roadside environments [1,2,3]. The IoV enhances the safety and comfort of daily commuting. Data sharing and utilization within IoV scenarios are pivotal for enhancing vehicular services. The voluminous amount of data interchangeably shared among vehicles, road infrastructure, and cloud systems is intricately intertwined with people’s daily lives. Given the open operational landscape of the internet of vehicles (IoV), transmitted information is susceptible to various forms of attacks, including interception, forgery, eavesdropping, and tampering by malicious entities. These data encompass a significant quantity of sensitive information, and their compromise could result in direct adverse consequences for users [4,5,6]. Given the escalating number of vehicles and the expansion of national road networks within the IoV, alongside the increasing participation of collaborative computing devices, ensuring the security and integrity of data transmission during efficient data sharing has emerged as a paramount research concern [7,8]. The architectural depiction of the IoV is illustrated in Figure 1.

Secure multiparty computation (MPC) is a computational model designed to safeguard the privacy and data security of multiple participants engaged in collaborative computations. It enables a set of parties to interact and compute joint functions of their private inputs, revealing only the output [9]. Data resources have become a critical competitive advantage across various industries, and the same holds true for the internet of vehicles domain. However, due to the lack of uniformity between data owners and users, issues such as data security and personal privacy are increasingly exacerbated. Secure multiparty computation (MPC) technology can simultaneously ensure the privacy of data inputs and the correctness of data computations. Furthermore, it can guarantee, through protocols, that the input data of participating parties in computations remains undisclosed even in the absence of a third party [10,11]. Multiparty homomorphic encryption (MHE) is a category of solutions within the realm of secure multiparty computation (MPC). It extends traditional single-party homomorphic encryption schemes to multiple participants. Existing generations of MHE schemes have evolved from traditional homomorphic encryption schemes through expansion and refinement. With the emergence of the latest generation of MHE schemes based on the Learning with Errors (LWE) framework [12], various variants of this approach have subsequently proliferated. In order to further enhance the efficiency of MHE schemes and reduce communication overhead, threshold access structures have been applied in this approach [13,14,15]. Researchers have applied MHE schemes in federated learning [16] to safeguard sensitive data [17,18]. The MPC constructed by MHE is primarily divided into two stages, comprising a one-time setup phase and a subsequent phase capable of executing an arbitrary number of functional evaluations post-setup completion [19]. During the setup phase, all parties jointly execute specialized multiparty protocols to generate public keys suitable for homomorphic operations. These keys are then distributed to each party through secure channels along with their respective secret keys. During the functional evaluation phase, parties first encrypt their respective data using the public keys, generating ciphertexts. Subsequently, computations are performed on these ciphertexts leveraging the properties of homomorphic operations. Finally, through multiparty protocols, parties collaboratively recover the private keys from the distributed secret keys and use them to decrypt the ciphertexts. Our proposed multiparty homomorphic encryption scheme is capable of completing both the one-time setup phase and the functional evaluation phase. Moreover, regarding the issue of private key exposure after ciphertext decryption, we address this by refreshing the public–private keys through multiparty protocols, enabling successive rounds of the functional evaluation phase without the need for reinitialization.

In the internet of vehicles (IoV), the use of secure multiparty computation (MPC) technology enables the secure sharing and computation of data among IoV terminal devices. Considering the challenges posed by low transmission efficiency and poor network quality in the open application scenarios of IoV, our proposed solution boasts high efficiency and low communication overhead, thus alleviating such issues. The conceptual diagram of secure multiparty computation in the internet of vehicles is illustrated in Figure 2.

Our Contributions

In recent years, our work has primarily focused on the processing of privacy data in the IoV [20] and its application in federated learning [21]. In our previous work on emergency vehicle identification based on federated learning and homomorphic encryption, we relied on a trusted third party for key distribution. This study addresses this issue by modifying the homomorphic encryption scheme. By integrating the homomorphic encryption scheme with the span program without the involvement of a third party, privacy protection and efficient computation among multiple vehicles are achieved. The main contributions are as follows:

• This paper presents an asymmetric homomorphic encryption algorithm based on the conjugate search problem and the discrete logarithm problem. Building upon this scheme, a novel multiparty homomorphic encryption scheme is constructed, consisting of four phases: construction, computation, recombination, and refreshing. This scheme enables secure computation among multiple vehicles without the need for a trusted third party, ensuring that privacy inputs are not disclosed. Moreover, the homomorphic properties of the encryption scheme allow ciphertext operations to satisfy both addition and multiplication.
• In the semi-honest model, the utilization of the span program for the private key partitioning in the multiparty homomorphic encryption scheme ensures that only the authorized coalition of vehicles can jointly reconstruct the private key. This measure prevents excessive centralization of the key, thereby achieving risk diversification and intrusion tolerance objectives, and consequently thwarting unauthorized access. This approach reduces potential security risks, safeguards the integrity and privacy of the vehicular network, and alleviates communication pressure within the IoV.
• We conducted comparative experiments of our proposed scheme within the architecture of the IoV against mainstream solutions, revealing significant advantages in terms of communication overhead and computational costs. Additionally, we applied our scheme in federated learning [22] in the IoV. Addressing the data leakage issue inherent in gradients in federated learning [23], we encrypted the gradients during transmission using our scheme, thus preventing gradient leakage while achieving correct aggregation of gradients from multiple vehicles [24]. Theoretical analyses and experimental evaluations collectively demonstrate the effectiveness of our proposed solution.

Organization: The remaining content of this paper is structured as follows. Section 2 introduces the basic concepts required for asymmetric encryption schemes and other related definitions. Section 3 provides a comprehensive overview of the proposed multiparty, fully homomorphic encryption scheme and conducts a security analysis of the scheme. In Section 4, a comparison of existing schemes is presented from both theoretical and experimental perspectives, along with a performance evaluation in federated learning experiments. Finally, Section 5 concludes the paper.

2. Preliminaries

This section will introduce the fundamental concepts and basic definitions required for asymmetric encryption schemes. Firstly, we will present the basic definition of the computational search problem (CSP) [25], which, due to its noise-free operations and post-quantum security, holds significance in post-quantum cryptography [26]. Next, we will elaborate on the discrete logarithm problem (DLP), a crucial concept in number theory and cryptography [27]. Subsequently, we will define the adversary model within the system. Finally, we will describe the correctness and security proofs of asymmetric encryption algorithms based on the CSP and DLP, as well as the span program.

2.1. Basic Definitions

Definition 1. 

(Conjugate search problem—CSP): Given a non-Abelian group   $G$, and $a \in G$, $b\in G$, $k\in G$, where $b=ka{k}^{-1}$, $k$ is an unknown element, and $b$ is a conjugate of $a$ with respect to $k$, it is difficult to find $k$ when $a$ and $b$ are known. The conjugate search problem (CSP) is a problem in group theory. Let $CSPGen$ be a polynomial time algorithm with input security parameter $\mathcal{K}$ and output a non-Abelian group $G$ of order $q\left(\right|q|=\mathcal{K})$. If the conjugate search problem of $CSPGen$ is hard, then for all probability polynomial time (PPT) adversaries $\mathcal{A}$, the following formula is negligible:

$$\mathit{Pr}\left[\left(G\right)\leftarrow CSPGen\left(\mathcal{K}\right);\left(a,b,k\right)\leftarrow {}_{R}G;k\leftarrow \mathcal{A}\left(G,a,b\right) s.t. b=ka{k}^{-1}\right]$$

(1)

If the elements in $G$ are matrices, the security can only be guaranteed by a square matrix of more than 4 orders [28].

Next, we proceed to establish a non-Abelian group in the encryption scheme, utilizing 6th-order matrices as elements. Its form is as follows:

$$\left[\begin{array}{ccc}E& R_1& R_2\\ O& R_3& R_4\\ O& O& R_5\end{array}\right]$$

(2)

In Formula $\left(2\right)$, the symbols ${E, R}_i$, and $O$ represent 2nd-order matrices.

Definition 2. 

(Discrete logarithm problem—DLP): Given a group $\mathbb{G}$, where $g$ is a generator of the group and $h$ is a random element in the group, computing ${log}_g^h$ is difficult. Let $DLPGen$ be a polynomial time algorithm with input security parameter $\mathcal{K}$ and output a cyclic $\mathbb{G}\left(\right|q|=\mathcal{K})$ of order $q\left(\right|q|=\mathcal{K})$ along with one of its generators $g\in \mathbb{G}$. If the discrete logarithm problem of $DLPGen$ is hard, then for all probability polynomial time (PPT) adversaries $\mathcal{A}$, the following formula is negligible:

$$Pr\left[\left(\mathbb{G},g\right)\leftarrow DLPGen\left(\mathcal{K}\right);u\leftarrow {}_R\mathbb{G};x\leftarrow \mathcal{A}\left(\mathbb{G},g,h\right) s.t. g^x=u\right]$$

(3)

Definition 3. 

(Decisional Diffie–Hellman assumption—DDH assumption): Let $\mathbb{G}$ be a group of prime order $q$, where $g$ is a generator of $\mathbb{G}$, and $x,y,z\leftarrow {}_R{\mathbb{Z}}_p$. For the following two distributions, the quadruple $D=(g,g^x,g^y,g^{xy})$ and the random quadruple $R=(g,g^x,g^y,g^z)$ are computationally indistinguishable, termed as the DDH assumption. That is, for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$, the advantage of adversary $\mathcal{A}$ in distinguishing quadruple $D$ from random quadruple $R$, defined as ${Adv}_{\mathcal{A}}^{DDH}\left(\mathcal{K}\right)=|\mathit{Pr}\left[\mathcal{A}\left(R\right)=1\right]-Pr[\mathcal{A}\left(D\right)=1\left]\right|$, is negligible.

Definition 4. 

(Indistinguishability under the chosen plaintext attack game—IND-CPA game): The formal description of the indistinguishability game under chosen plaintext attack in a public-key encryption scheme is as follows, where the triplet representing the encryption scheme is $\mathcal{T}=(KeyGen,Enc,Dec)$ and $\mathcal{K}$ denotes the security parameter:

$$\begin{gathered} {Exp}_{\mathcal{T},\mathcal{A}}^{CPA}\left(\mathcal{K}\right):\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} \\ \left(pk,sk\right)\leftarrow \mathcal{T}.KeyGen\left(\mathcal{K}\right); \\ \left(M_0,M_1\right)\leftarrow \mathcal{A}\left(·\right),where \left|M_0\right|=\left|M_1\right|; \\ \beta {\leftarrow }_R\left\{\mathrm{0,1}\right\},C^{*}=\mathcal{T}.Enc\left(M_{\beta }\right); \\ {\beta }^{\prime }\leftarrow \mathcal{A}(pk,C^{*}) \\ if {\beta }^{\prime }=\beta ,return 1,otherwise return 0. \end{gathered}$$

(4)

For a PPT adversary $\mathcal{A}$, random guessing of $\beta$ also has a probability of winning of $1/2$. Therefore, the advantage of breaking the semantic security of the encryption scheme by using the chosen plaintext attack is defined as:

$${\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathcal{T},\mathcal{A}}^{CPA}\left(\mathcal{K}\right)=\left|\mathrm{Pr}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathcal{T},\mathcal{A}}^{CPA}=1\right]-{\displaystyle \frac{1}{2}}\right|$$

(5)

Definition 5. 

(IND-CPA security): For any PPT adversary $\mathcal{A}$, there exists a negligible function with parameter $\mathcal{K}$, denoted as $ϵ\left(\mathcal{K}\right)$, such that the advantage ${Adv}_{\mathcal{T},\mathcal{A}}^{CPA}\left(\mathcal{K}\right)\le ϵ\left(\mathcal{K}\right)$. Then, the encryption algorithm $\mathcal{T}$ is considered IND-CPA-secure, meaning it is indistinguishable under the chosen plaintext attack.

Definition 6. 

(The semi-honest model): The semi-honest model (also known as the “honest but curious” model or passive attack model) is an important theoretical framework for evaluating and constructing cryptographic security protocols. This model assumes that all parties involved in the protocol will strictly follow the steps stipulated in the plan to carry out a series of operations, but the participants may attempt to obtain additional data through computational reasoning during the execution process.

To determine whether the scheme conforms to the security under the semi-honest model, the ideal/real model in cryptography is usually adopted for its formal analysis. The ideal/real model is a security analysis method based on simulation. In an ideal world, there exists a simulator that can generate a view indistinguishable from the execution of real protocols merely based on the input and output of legitimate participants. In other words, any information that can be obtained by observing the execution of the protocol should also be able to be derived from the corresponding input–output pairs. If such a simulation cannot be achieved, it indicates that the protocol may have leaked information.

Definition 7. 

(Simulation-based security in ideal/real models): Suppose there are participants $P_1,\dots {,P}_n$ in the scheme $\Pi$. For the participant $P_i$, their input in the scheme is $x_i$, all the information collected in the scheme is $M_i$, and their final output is $y_i$. Then, the view of the participant is expressed as ${view}_i=\{x_i,M_i,y_i\}$. Let the set $L\subset \{P_1,\dots {,P}_n\}$ represent any non-empty subset of the participant, then the view of the real world is defined as ${view}_L^{\Pi }\subset \{{view}_1,\dots ,{view}_n\}$. The security is defined as follows: In an ideal world, there exists a simulator $S$ such that it holds the following equation for any set $L$: ${S(L,\{x_i,y_i:\forall P_i\in L\left\}\right){}^c\equiv view}_L^{\Pi }$. Then, the scheme satisfies the simulation-based security under the semi-honest model. ${}^c\equiv$ indicates that it is computationally indistinguishable.

2.2. Asymmetric Homomorphic Encryption Algorithm Based on CSP and DLP

We propose an asymmetric encryption algorithm based on the CSP and DLP, following the comprehension of Definitions 1 and 2. This algorithm serves as the foundation for multiparty fully homomorphic encryption schemes.

Initialization: Setting the security parameter as $\mathcal{K}$, we invoke $\mathrm{C}\mathrm{S}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right)$ and $\mathrm{D}\mathrm{L}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right)$ to generate $G$ and $\mathbb{G}$, respectively. $G$ is constructed by extracting elements over the field ${\mathbb{Z}}_p\left(\right|p|=\mathcal{K})$ to form a 6th-order matrix group. The order of $G$ is $q\left(\right|q|=\mathcal{K})$, and $\mathbb{G}$ is a cyclic group of order $q$ with the generator $g$.

Generating the public–private key pair  $(\mathit{c}\mathit{s}\mathit{p}\mathit{d}\mathit{l}\mathit{p}.\mathit{K}\mathit{e}\mathit{y}\mathit{p}\mathit{a}\mathit{i}\mathit{r}\mathit{G}\mathit{e}\mathit{n}\left(\mathit{G},\mathbb{G},\mathit{g}\right))$: Firstly, we extract $l$ elements $e_1,e_2,\dots ,e_l$ from the group $\mathbb{G}$. Secondly, each $e_i$ is divided into four parts of random values, $e_i=a_{1i}+a_{2i}+a_{3i}+a_{4i}$, and constructed into a matrix $E_i$, where $R_i$ is a 2nd-order matrix composed of random values:

$$E_i^{\prime }=\left[\begin{array}{cc}{a}_{1i}& a_{2i}\\ a_{3i}& a_{4i}\end{array}\right]$$

(6)

$$E_i=\left[\begin{array}{ccc}{E}_i^{\prime }& R_{1i}& R_{2i}\\ O& R_{3i}& R_{4i}\\ O& O& R_{5i}\end{array}\right]$$

(7)

Randomly selecting a matrix $H$ from $G$, we generate ${\varsigma }_1=H{E}_1{H}^{-1},\dots ,{\varsigma }_l=H{E}_l{H}^{-1}$. The public key consists of two parts: $e_1,\dots ,e_l$ and ${\varsigma }_1,\dots ,{\varsigma }_l$, while the private key is represented by the matrix $H$, and the matrix $H$ is an invertible matrix.

Public key encryption $(\mathit{c}\mathit{s}\mathit{p}\mathit{d}\mathit{l}\mathit{p}.\mathit{E}\mathit{n}\mathit{c}\left(\mathit{p}\mathit{k},\mathit{m}\right))$: Firstly, for the plaintext $m$, it is split into a combination of $l$ public values, i.e., $m=k_1{e}_1^{r_1}+\cdots +k_l{e}_l^{r_l}$, where $r_i$ and $k_i$ are random values.

The ciphertext corresponding to the plaintext $C=$ $k_1{\varsigma }_1^{r_1}+\cdots +k_l{\varsigma }_l^{r_l}$ can be expanded as:

$$\begin{gathered} C=k_1(H{E}_1{H}^{-1}{)}^{r_1}+\cdots +k_l(H{E}_l{H}^{-1}{)}^{r_l} \\ =H{k}_1{E}_1^{r_1}{H}^{-1}+\cdots +H{k}_l{E}_l^{r_l}{H}^{-1} \\ =H\left(k_1{E}_1^{r_1}+\cdots +k_l{E}_l^{r_l}\right)H^{-1} \\ =HM{H}^{-1} \\ =H\left[\begin{array}{ccc}{M}^{\prime }& R_1^{*}& R_2^{*}\\ O& R_3^{*}& R_4^{*}\\ O& O& R_5^{*}\end{array}\right]H^{-1} \end{gathered}$$

(8)

where $M^{\prime }=\left[\begin{array}{cc}{m}_1& m_2\\ m_3& m_4\end{array}\right]$, $R_i^{*}$ is a 2nd-order random matrix, $O$ is a 2nd-order zero matrix, and $m_1+m_2+m_3+m_4=m$.

Private key decryption $(\mathit{c}\mathit{s}\mathit{p}\mathit{d}\mathit{l}\mathit{p}.\mathit{D}\mathit{e}\mathit{c}\left(\mathit{s}\mathit{k},\mathit{C}\right))$: Performing the operation $M=H^{-1}CH$ on the ciphertext matrix $C$ yields the plaintext matrix $M$, as depicted in Formula $\left(8\right)$. The plaintext $m$ is then obtained as $m=M_{11}+M_{12}+M_{21}+M_{22}=m_1+m_2+m_3+m_4$.

The homomorphic properties of this algorithm are as follows:

(1)

Homomorphic addition: Let $C_1$ and $C_2$ be the ciphertexts corresponding to plaintexts $m_1$ and $m_2$, respectively:

$$\begin{gathered} { C}_{add}=C_1+C_2=H{M}_1{H}^{-1}+H{M}_2{H}^{-1} \\ =H\left[\begin{array}{ccc}{M}_1^{\prime }& R_{11}^{*}& R_{12}^{*}\\ O& R_{13}^{*}& R_{14}^{*}\\ O& O& R_{15}^{*}\end{array}\right]H^{-1}+H\left[\begin{array}{ccc}{M}_2^{\prime }& R_{21}^{*}& R_{22}^{*}\\ O& R_{23}^{*}& R_{24}^{*}\\ O& O& R_{25}^{*}\end{array}\right]H^{-1} \\ =H\left(\left[\begin{array}{ccc}{M}_1^{\prime }& R_{11}^{*}& R_{12}^{*}\\ O& R_{13}^{*}& R_{14}^{*}\\ O& O& R_{15}^{*}\end{array}\right]+\left[\begin{array}{ccc}{M}_2^{\prime }& R_{21}^{*}& R_{22}^{*}\\ O& R_{23}^{*}& R_{24}^{*}\\ O& O& R_{25}^{*}\end{array}\right]\right)H^{-1} \\ =H\left[\begin{array}{ccc}{M}_1^{\prime }+M_2^{\prime }& R_{11}^{*}+R_{21}^{*}& R_{12}^{*}+R_{22}^{*}\\ O& R_{13}^{*}+R_{23}^{*}& R_{14}^{*}+R_{24}^{*}\\ O& O& R_{15}^{*}+R_{25}^{*}\end{array}\right]H^{-1} \end{gathered}$$

(9)

where $M_1^{\prime }+M_2^{\prime }=\left[\begin{array}{cc}{m}_{11}+m_{21}& m_{12}+m_{22}\\ m_{13}+m_{23}& m_{14}+m_{24}\end{array}\right]$, and after decryption, $m_{11}+m_{21}+m_{12}+$$m_{22}$ + $m_{13}+m_{23}$ + $m_{14}+m_{24}={(m}_{11}+m_{12}$ + $m_{13}$ + $m_{14})$ + ($m_{21}$ + $m_{22}$ + $m_{23}$ + $m_{24}$) $=m_1$ + $m_2$. This result demonstrates that it satisfies homomorphic addition.

(2)

Homomorphic multiplication: Let $C_1$ and $C_2$ be the ciphertexts corresponding to plaintexts $m_1$ and $m_2$, respectively. During the multiplication operation, we require an auxiliary matrix $T$ to assist with the computation. In the considered encoding scheme, data point m is represented as a combination of four components. Therefore, the multiplication operation between 2 encrypted data points will generate a linear combination containing 16 items, where each item corresponds to the product between 2 components. In order to effectively construct this linear combination and ensure the correctness of the operation, an auxiliary matrix T is introduced to describe the composition structure of each term. This auxiliary matrix can be generated and provided by either party involved in the multiplication operation, thereby supporting the other party to efficiently complete the multiplication operation within the encryption domain:

$$T=H\left[\begin{array}{ccc}t& R_1& R_2\\ O& t& R_3\\ O& O& t\end{array}\right]H^{-1}$$

(10)

where $t=\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]$, and $R_i$ is a random 2nd-order matrix:

$$\begin{gathered} C_{mul}=C_1·C_2+C_1·T·C_2 \\ =H{M}_1{M}_2{H}^{-1}+H{M}_{1}T{M}_2{H}^{-1} \\ =H\left[\begin{array}{ccc}{M}_1^{\prime }& R_{11}^{*}& R_{12}^{*}\\ O& R_{13}^{*}& R_{14}^{*}\\ O& O& R_{15}^{*}\end{array}\right]\left[\begin{array}{ccc}{M}_2^{\prime }& R_{21}^{*}& R_{22}^{*}\\ O& R_{23}^{*}& R_{24}^{*}\\ O& O& R_{25}^{*}\end{array}\right]H^{-1} \\ +H\left[\begin{array}{ccc}{M}_1^{\prime }& R_{11}^{*}& R_{12}^{*}\\ O& R_{13}^{*}& R_{14}^{*}\\ O& O& R_{15}^{*}\end{array}\right]\left[\begin{array}{ccc}t{M}_2^{\prime }& R_{21}^{**}& R_{22}^{**}\\ O& {tR}_{23}^{*}& R_{24}^{**}\\ O& O& {tR}_{25}^{*}\end{array}\right]H^{-1} \\ =H\left[\begin{array}{ccc}{M}_1^{\prime }{M}_2^{\prime }+M_1^{\prime }t{M}_2^{\prime }& R_1^{*}& R_2^{*}\\ O& R_3^{*}& R_4^{*}\\ O& O& R_5^{*}\end{array}\right]H^{-1} \end{gathered}$$

(11)

After decrypting the ciphertext $C_{mul}$, we extract the plaintext matrix $M_{mul}=H^{-1}{C}_{mul} H$. Here, $M_{mul}$ is composed of $M_{mul}^{\prime }$, where $M_{mul}^{\prime }=M_1^{\prime }{M}_2^{\prime }+M_1^{\prime }t{M}_2^{\prime }$. Let $M_1^{\prime }=\left[\begin{array}{cc}{m}_{11}& m_{12}\\ m_{13}& m_{14}\end{array}\right]$ and $M_2^{\prime }=\left[\begin{array}{cc}{m}_{21}& m_{22}\\ m_{23}& m_{24}\end{array}\right]$, then:

$$\begin{gathered} { M}_{mul}^{\prime }=\left[\begin{array}{cc}{m}_{11}& m_{12}\\ m_{13}& m_{14}\end{array}\right]\left[\begin{array}{cc}{m}_{21}& m_{22}\\ m_{23}& m_{24}\end{array}\right]+\left[\begin{array}{cc}{m}_{11}& m_{12}\\ m_{13}& m_{14}\end{array}\right]\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]\left[\begin{array}{cc}{m}_{21}& m_{22}\\ m_{23}& m_{24}\end{array}\right] \\ =\left[\begin{array}{cc}{m}_{11}{m}_{21}+m_{12}{m}_{23}& m_{11}{m}_{22}+m_{12}{m}_{24}\\ m_{13}{m}_{21}+m_{14}{m}_{23}& m_{13}{m}_{22}+m_{14}{m}_{24}\end{array}\right] \\ +\left[\begin{array}{cc}{m}_{11}{m}_{23}+m_{12}{m}_{21}& m_{11}{m}_{24}+m_{12}{m}_{22}\\ m_{13}{m}_{23}+m_{14}{m}_{21}& m_{13}{m}_{24}+m_{14}{m}_{22}\end{array}\right] \\ =\left[\begin{array}{cc}{m}_{1,mul}& m_{2,mul}\\ m_{3,mul}& m_{4,mul}\end{array}\right] \end{gathered}$$

(12)

where, $m_{1,mul}+m_{2,mul}+m_{3,mul}+m_{4,mul}=m_{11}{m}_{21}+m_{11}{m}_{22}+m_{11}{m}_{23}+m_{11}{m}_{24}+$  $m_{12}{m}_{21}+m_{12}{m}_{22}+m_{12}{m}_{23}+m_{12}{m}_{24}+m_{13}{m}_{21}+m_{13}{m}_{22}+m_{13}{m}_{23}+m_{13}{m}_{24}+$  $m_{14}{m}_{21}+m_{14}{m}_{22}+m_{14}{m}_{23}+m_{14}{m}_{24}=\left(m_{11}+m_{12}+m_{13}+m_{14}\right)\times (m_{21}+m_{22}+$  $m_{23}+m_{24})=m_1\times m_2$. This result demonstrates that the algorithm satisfies homomorphic multiplication.

• Security Analysis

Theorem 1. 

Under the assumption of the discrete logarithm problem (DLP), the asymmetric homomorphic encryption algorithm based on the CSP and DLP is IND-CPA-secure.

Below is a game used to formalize the discussion of the attacker’s advantage:

$$\begin{gathered} {\mathrm{E}\mathrm{x}\mathrm{p}}_{cspdlp,\mathcal{A}}^{\mathrm{C}\mathrm{P}\mathrm{A}}\left(\mathcal{K}\right):\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} \\ \left(G\right)\leftarrow cspdlp.\mathrm{C}\mathrm{S}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right); \\ \left(\mathbb{G},g\right)\leftarrow cspdlp.\mathrm{D}\mathrm{L}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right); \\ \left(pk=\left\{e_1,\dots ,e_l;{\varsigma }_1,\dots ,{\varsigma }_l\right\},sk=\left\{H\right\}\right)\leftarrow cspdlp.KeypairGen(G,\mathbb{G},g); \\ \left(M_0,M_1\right)\leftarrow \mathcal{A}\left(pk\right),where \left|M_0\right|=\left|M_1\right|; \\ \beta {\leftarrow }_R\left\{\mathrm{0,1}\right\},C^{*}=cspdlp.Enc\left(M_{\beta }\right); \\ {\beta }^{\prime }\leftarrow \mathcal{A}(pk,C^{*}) \\ if {\beta }^{\prime }=\beta ,return 1,otherwise return 0. \end{gathered}$$

(13)

The adversary $\mathcal{A}$ possesses knowledge of the public key $pk$ and the ciphertext $C^{*}$, where $C^{*}=k_{1\beta }{\varsigma }_1^{r_{1\beta }}+\cdots +k_{l\beta }{\varsigma }_l^{r_{l\beta }}$. For a probabilistic polynomial time (PPT) adversary $\mathcal{A}$, the difficulty in decrypting the ciphertext lies in computing the exponents $r_{i\beta }$ in $k_{i\beta }{\varsigma }_i^{r_{i\beta }}$. Computing the exponents $r_{i\beta }$ in $k_{i\beta }{\varsigma }_i^{r_{i\beta }}$ is equivalent to computing the exponent in the discrete logarithm problem (DLP) $g^x$.

$$\begin{gathered} \mathrm{P}\mathrm{r}[\left(pk,sk\right)\leftarrow cspdlp.KeypairGen\left(·\right);{\varsigma }_i^{r_i}\leftarrow {}_{R}G;r_i\leftarrow \mathcal{A}\left(G,{\varsigma }_i,{\varsigma }_i^{r_i}\right)\mathrm{s}.\mathrm{t}.C^{*}={\sum }_{i=1}^l{k}_{i\beta }{\varsigma }_i^{r_{i\beta }}] \\ =\mathrm{Pr}\left[\left(\mathbb{G},g\right)\leftarrow \mathrm{D}\mathrm{L}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right);u\leftarrow {}_R\mathbb{G};x\leftarrow \mathcal{A}\left(\mathbb{G},g,h\right)\mathrm{s}.\mathrm{t}.g^x=u\right] \end{gathered}$$

(14)

If adversary $\mathcal{A}$ mounts an attack on this scheme with a non-negligible advantage $ϵ\left(\mathcal{K}\right)$, then they could employ the same advantage to attack the DLP assumption. Since the DLP is computationally difficult, this scheme is considered IND-CPA-secure against PPT adversaries.

2.3. Secret Sharing Scheme Constructed by Span Program

In this section, we utilize the secret sharing scheme constructed by the span program [29] to devise a secret splitting scheme for authorizing participating vehicles in the vehicular ad hoc network (VANET). The aim is to achieve the partitioning of authorization sets and authorization subsets within the VANET. The specific details are as follows.

Definition 8. 

(Span program): Let  $\mathbb{Z}$ be a finite field, and $\mathbb{M}$ be a matrix constructed over $\mathbb{Z}$. Let $\{x_1,\dots ,x_n\}$ be a set of Boolean variables. $\theta$ is a row labeling function for matrix $\mathbb{M}$, where $\theta \left(i\right)=x_i or \overline{x_i}$, indicating that the $i$-th row of $\mathbb{M}$ is labeled with $x_i or \overline{x_i}$. The labeled matrix over $\mathbb{Z}$ is denoted as $\widehat{\mathbb{M}}(\mathbb{M},\theta )$, representing a span program. Given a Boolean function $f$ with input $\varphi \in \{\mathrm{0,1}{\}}^n$, using input $\varphi$ and the row labels $\theta \left(i\right)$, a submatrix ${\mathbb{M}}_{\varphi }$ of $\mathbb{M}$ is constructed. The rule for constructing ${\mathbb{M}}_{\varphi }$ is to include rows labeled as $x_i$ if ${\varphi }_i=1$, or $\overline{x_i}$ if ${\varphi }_i=0$. If all linear combinations of rows in ${\mathbb{M}}_{\varphi }$ result in the vector $\overrightarrow{1}$, it is denoted as $\overrightarrow{1}\subseteq span\left({\mathbb{M}}_{\varphi }\right)$. The span program $\widehat{\mathbb{M}}$ accepts input $\varphi$. If $\widehat{\mathbb{M}}$ accepts $\varphi$, then $f\left(\varphi \right)=1$. If the row labels only include $x_i$, then the span program is monotonic.

The secret splitting scheme constructed using a monotonic span program is as follows: Assume the secret is $s$, and there are $n$ participants. Let $B\subseteq \{P_1,\dots ,P_n\}$ be a set, and ${\varphi }_B\in \{\mathrm{0,1}{\}}^n$ be the characteristic vector of the set $B$. If $P_i\in B$, then the $i$-th bit of ${\mathsf{\varphi }}_{\mathrm{B}}$ is 1; otherwise, it is 0. $\mathbb{A}$ is the access structure that satisfies the secret splitting scheme. First, define a function $f_{\mathbb{A}}:\{\mathrm{0,1}{\}}^n\to \{\mathrm{0,1}\}$. If $\mathrm{B}\in \mathbb{A}$ is an authorized set, then $f_{\mathbb{A}}\left({\varphi }_B\right)=1$. Let $\widehat{\mathbb{M}}$ have $l$ columns and randomly select a vector $\overrightarrow{r}=(r_1,\dots ,r_l{)}^T$ from ${\mathbb{Z}}^l$, such that ${\displaystyle {\sum }_{i=1}^l}{r}_i=s$. Compute the vector $\overrightarrow{s}=\mathbb{M}·\overrightarrow{r}$, and label each row of $\mathbb{M}·\overrightarrow{r}$ according to the row labels of $\widehat{\mathbb{M}}$. Assign the value labeled as $x_i$ to the corresponding participant $P_i$ as their secret share. We achieve the partitioning of authorized and unauthorized sets on $\mathbb{M}$, as described in [30].

The process of secret recovery is as follows: Let $\mathrm{B}\in \mathbb{A}$ be the authorized subset, where $\left|\mathrm{B}\right|=d$. If $f_{\mathbb{A}}\left({\mathsf{\varphi }}_{\mathrm{B}}\right)=1$, then $\overrightarrow{1}\subseteq \mathrm{s}\mathrm{p}\mathrm{a}\mathrm{n}\left({\mathbb{M}}_{{\mathsf{\varphi }}_{\mathrm{B}}}\right)$, implying the existence of constants ${\mathsf{\alpha }}_1,{\mathsf{\alpha }}_2,\dots ,{\mathsf{\alpha }}_d$, such that ${\displaystyle {\sum }_{i=1}^d}{\alpha }_i\overrightarrow{{\mathbb{M}}_i}=\overrightarrow{1}$, where the vector $\overrightarrow{{\mathbb{M}}_{\mathrm{i}}}$ is extracted from $\mathbb{M}$ as the $i$-th row corresponding to participant $P_i$ in the set $\mathrm{G}$. The $d$ participants in set $\mathrm{G}$ provide secret shares $\overrightarrow{{\mathbb{M}}_1}·\overrightarrow{r},\dots ,\overrightarrow{{\mathbb{M}}_d}·\overrightarrow{r}$ for computation:

$$\sum _{i=1}^d{\alpha }_i\left(\overrightarrow{{\mathbb{M}}_i}·\overrightarrow{r}\right)=\overrightarrow{r}\left(\sum _{i=1}^d{\alpha }_i\overrightarrow{{\mathbb{M}}_i}\right)=\overrightarrow{r}·\overrightarrow{1}=s$$

(15)

The details of the initialization algorithm, secret sharing algorithm and secret recovery algorithm of span program are presented in Algorithms 1–3.

Algorithm 1. M.SETUP [30]

Input: $n$ participants denoted as $P_1,\dots ,P_n$ Output: access structure $\mathbb{A},$ publicly disclose matrix $\mathbb{M}$   1: Consider $n$ participants denoted as $P_1,\dots ,P_n$. Establish an access structure $\mathbb{A}$ and construct and publicly disclose matrix $\mathbb{M}$.

Algorithm 2. M.SHARE [30]

Input: secret $s$ Output: secret vector $\overrightarrow{s}$   1: $r_1,\dots ,r_l\leftarrow {}_R{\mathbb{Z}}_p,{\displaystyle {\sum }_{i=1}^l}{r}_i=s,\overrightarrow{r}=(r_1,\dots ,r_l{)}^T.$   2: Compute $\overrightarrow{s}=\mathbb{M}·\overrightarrow{r}$, and send shares to participant $P_i$ as $P_i\leftarrow \overrightarrow{{\mathbb{M}}_i}·\overrightarrow{r}$.

Algorithm 3. M.RECONSTRUST [30]

Input: authorized subset $B$ Output: secret $s$   1: $B=\left\{P_1,\dots ,P_d\right\}\in \mathbb{A},\left( \overrightarrow{{\mathbb{M}}_1}·\overrightarrow{r},\dots ,\overrightarrow{{\mathbb{M}}_d}·\overrightarrow{r}\right) \leftarrow P_1,\dots ,P_d$   2: Calculate and output based on constants ${\alpha }_1,{\alpha }_2,\dots ,{\alpha }_d$.             $s={\displaystyle \sum _{i=1}^d}{\alpha }_i\left(\overrightarrow{{\mathbb{M}}_i}·\overrightarrow{r}\right)$

• Security Analysis

Let the secret be $s$, and a random vector $\overrightarrow{r}$ is selected. The secret share is $\overrightarrow{s}=\mathbb{M}·\overrightarrow{r}$. Suppose set $Q$ is an unauthorized set, holding secret shares $\overrightarrow{s_Q}={\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{r}$. Then, all linear combinations of rows in ${\mathbb{M}}_{{\varphi }_Q}$ cannot form the vector $\overrightarrow{1}$, i.e., $\overrightarrow{1}⊈span\left({\mathbb{M}}_{{\varphi }_Q}\right)$. Therefore, the vector $\overrightarrow{1}$ is independent of all row vectors in ${\mathbb{M}}_{{\varphi }_Q}$, implying ${\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{1}=\overrightarrow{0}$. Consequently, there exists a vector $\overrightarrow{r^{\prime }}$ related to vector $\overrightarrow{1}$, such that $\overrightarrow{1}·\overrightarrow{r^{\prime }}\ne \overrightarrow{0}$, and ${\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{r^{\prime }}=\overrightarrow{0}$. For any $\mathsf{\alpha }\in \mathbb{Z}$, let $\overrightarrow{R}=\overrightarrow{r}+\mathsf{\alpha }·\overrightarrow{r^{\prime }}$, then we have:

$${\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{R}={\mathbb{M}}_{{\varphi }_Q}·\left(\overrightarrow{r}+\mathsf{\alpha }·\overrightarrow{r^{\prime }}\right)={\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{r}+\mathsf{\alpha }\left({\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{r^{\prime }}\right)={\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{r}=\overrightarrow{s_Q}$$

(16)

$$\overrightarrow{1}·\overrightarrow{R}=\overrightarrow{1}·\left(\overrightarrow{r}+\mathsf{\alpha }·\overrightarrow{r^{\prime }}\right)=\overrightarrow{1}·\overrightarrow{r}+\mathsf{\alpha }·\overrightarrow{r^{\prime }}=s+\left(\mathsf{\alpha }·\overrightarrow{r^{\prime }}\right)$$

(17)

From Formulas $\left(16\right)$ and $\left(17\right)$, we obtain ${\mathbb{M}}_{{\varphi }_Q}·\overrightarrow{R}=\overrightarrow{s_Q}$ and $\overrightarrow{1}·\overrightarrow{R}=s+(\mathsf{\alpha }·\overrightarrow{r^{\prime }})$, indicating that the secret share $\overrightarrow{s_Q}$ held by set $Q$ is also a secret share of $s+(\mathsf{\alpha }·\overrightarrow{r^{\prime }})$. Due to the randomness of $\mathsf{\alpha }$, the secret corresponding to the secret share is also random. Therefore, one secret share corresponds to multiple secrets, which are statistically indistinguishable.

3. System Model

In this section, building upon the foundation laid in Section 2.2, we extend the asymmetric homomorphic encryption algorithm based on the CSP and DLP. We expand this algorithm to support multiparty homomorphic encryption, enabling multiple participants to collaboratively engage in computations. Subsequently, we employ a secret splitting scheme to partition authorized and unauthorized sets. After private key recovery, we utilize multiparty computation protocols to refresh the public–private keys and the secrets held by participating entities, thereby ensuring the security of each computation.

3.1. The Implementation Scheme of Multiparty Homomorphic Encryption

Initially, $n$ vehicle participants collaborate to generate security parameters $\mathcal{K}$ and the field ${\mathbb{Z}}_p$. A participant $P_i$ then invokes $\mathrm{C}\mathrm{S}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right)$ and $\mathrm{D}\mathrm{L}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right)$ to generate groups $G$ and $\mathbb{G}$, respectively. Subsequently, using $cspdlp.KeypairGen(G,\mathbb{G},g)$, $e_1,e_2,\dots ,e_l$ public values, $E_1,E_2,\dots ,E_l$ matrices, and the public matrix $H$ are generated. Additionally, each participant $P_i$ computes their secret $s_i$. $P_i$ then computes ${\varsigma }_1=H^{s_i}{E}_1{H}^{-s_i},\dots ,{\varsigma }_l=H^{s_i}{E}_l{H}^{-s_i}$. After $n$ rounds of communication, collectively, they generate ${\varsigma }_1=H^s{E}_1{H}^{-s},\dots ,{\varsigma }_l=H^s{E}_l{H}^{-s}$, where $s=s_1+s_2+\cdots +s_n$. Finally, the public key is $pk=\{e_1,\dots ,e_l,{\varsigma }_1,\dots ,{\varsigma }_l,H\}$, and the private key is $sk=\left\{s\right\}$. Each participant holds their respective secret $s_i$.

The $n$ vehicle participants utilize the span program $\widehat{\mathbb{M}}$ to share the secret $s_i$. By employing the matrix $\mathbb{M}$, they partition the authorized set. Participant $P_i$ computes the secret vector $\overrightarrow{s_i}$ and sends the corresponding shares to other participants $P_j$. Subsequently, each vehicle can encrypt plaintext using the public key and perform homomorphic operations on the ciphertext. Finally, the vehicles in the authorized set reconstruct the secret $s$ to obtain the correct computation result after decryption. The details of the initialization algorithm, encryption algorithm and decryption algorithm of the multiparty homomorphic encryption algorithm are presented in Algorithms 4–6.

Algorithm 4. MHE.SETUP

Input: $n$ participants denoted as $P_1,\dots ,P_n$ Output: $pk=\left\{e_1,\dots ,e_l,{\varsigma }_1,\dots ,{\varsigma }_l,H\right\},sk=\left\{s\right\}$   1: $P_1,\dots ,P_n$ negotiate and generate the common parameters: $\mathcal{K},{\mathbb{Z}}_p$. $P_i$ runs $\mathrm{C}\mathrm{S}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right)$ and $\mathrm{D}\mathrm{L}\mathrm{P}\mathrm{G}\mathrm{e}\mathrm{n}\left(\mathcal{K}\right)$ to generate groups $G$ and $\mathbb{G}$. $P_i$ executes $cspdlp.KeypairGen\left(G,\mathbb{G},g\right)$ to generate $e_1,e_2,\dots ,e_l$ public values, $E_1,E_2,\dots ,E_l$ matrices, the public matrix $H$, and secret $s_i$.   2: After $n$ rounds of communication, ${\varsigma }_1=H^s{E}_1{H}^{-s},\dots ,{\varsigma }_l=H^s{E}_l{H}^{-s}$ are generated, where ${\displaystyle {\sum }_{i=1}^n}{s}_i=s,s_1,\dots ,s_n\leftarrow {}_R{\mathbb{Z}}_p,$ and each $P_i\leftarrow s_i$. Finally, $pk=\left\{e_1,\dots ,e_l,{\varsigma }_1,\dots ,{\varsigma }_l,H\right\},sk=\left\{s\right\}.$   3: Run M.SETUP, each $P_i$ run M.SHARE($s_i$).

Algorithm 5. MHE. ENCRYPT

Input: plaintext $m$, $pk=\left\{e_1,\dots ,e_l,{\varsigma }_1,\dots ,{\varsigma }_l,H\right\}$ Output: ciphertext $C$   1: Generate and output the ciphertext $C\leftarrow Enc\left(pk,m\right).$ (Formula (8))

Algorithm 6. MHE.DECRYPT

Input: ciphertext $C$, authorized subset $\mathrm{B}$ Output: plaintext $m$   1: Run M.RECONSTRUST($\mathrm{B}$) to obtain the private key $sk=\left\{s\right\}$.   2: Compute $H^s$ and then output $m\leftarrow Dec(H^s,C)$.

The sequence diagram in Figure 3 depicts a three-party multiparty homomorphic encryption protocol, where Participants 1 and 3 form the authorized decryption set. Initially, all participants engage in the MHE.SETTUP to negotiate shared algorithmic parameters and securely generate individual secret shares, followed by collaborative computation of a collective public key. Homomorphic operations are then executed on the ciphertexts in the encrypted domain, maintaining data confidentiality throughout the process. To recover the plaintext, Participants 1 and 3 collaboratively reconstruct Participant 2’s secret share via the span program. Participant 1 combines its own secret with the reconstructed share to calculate the partial decryption of the ciphertext and transmits it to Participant 3, who also performs the same operation. The partially decrypted results are exchanged between the two authorized parties, who then apply their respective secret computations to derive the final plaintext, ensuring that only the authorized set can reconstruct the sensitive data.

After completing the initial round of computations, since the private key $sk$ has been exposed after decryption, it is necessary to refresh the public–private keys. The key refreshing process is illustrated in Algorithm 7.

Algorithm 7. MHE.KEYSWITCH

Input: new secret shares $s_1^{\prime },\dots ,s_n^{\prime }\leftarrow {\mathbb{Z}}_{p }$ Output: $\forall j\in l:{\varsigma }_j=H^{s^{\prime }}{E}_j{H}^{-s^{\prime }}$   1: Each participant $P_1,\dots ,P_n$ individually generates new secret shares $s_1^{\prime },\dots ,s_n^{\prime }\leftarrow {\mathbb{Z}}_{p },s^{\prime }={\displaystyle {\sum }_{i=1}^n}{s}_i^{\prime }.$ Additionally, compute $H^{s_1^{\prime }-s_1},\dots ,H^{s_n^{\prime }-s_n}$.   2: $P_1,\dots ,P_n$ collectively compute on the public key, as follows: $\forall j\in l:{(H}^{s_n^{\prime }-s_n})\cdots {(H}^{s_1^{\prime }-s_1})$ ${\varsigma }_j$ ${(H}^{s_1-s_1^{\prime }})\cdots {(H}^{s_n-s_n^{\prime }}),$ resulting in ${\varsigma }_j=H^{s^{\prime }}{E}_j{H}^{-s^{\prime }}.$

Figure 4 shows the sequence diagram of the three-party key refreshing algorithm. Participants collaborate to execute the key refreshing algorithm to update the public and private keys while maintaining security and confidentiality.

3.2. Multiparty Homomorphic Encryption Algorithm Security Analysis

In the IoV, the transmission of information is susceptible to attacks due to its open environment. Hence, it is imperative to ascertain whether the security of the proposed model is guaranteed during transmission. Moreover, the multiparty homomorphic encryption scheme publicly exposes the matrix $H$, with the secret $s$ serving as the private key. Therefore, further analysis of the security of this scheme is necessary. The discrete logarithm problem implies that, given the public key, adversaries cannot decipher the private key. However, this does not suffice to establish the IND-CPA security of the scheme. Hence, a stronger assumption is required.

Theorem 2. 

Under the DDH assumption, the multiparty homomorphic encryption scheme based on the CSP and DLP is IND-CPA-secure.

Suppose a probabilistic polynomial time (PPT) adversary $\mathcal{A}$ attacks the IND-CPA security of the multiparty homomorphic encryption scheme based on the CSP and DLP. This implies that adversary $\mathcal{A}$ inputs plaintexts $M_0$ and $M_1$, obtains ciphertext $M_{\beta }$, and outputs a guess ${\beta }^{\prime }$. If ${\beta }^{\prime }=\beta$, then $\mathcal{A}$ succeeds, denoted by $Succ$.

We now utilize adversary $\mathcal{A}$’s attack on the multiparty homomorphic encryption scheme to construct adversary $\mathcal{B}$’s attack on the DDH assumption. According to the DDH assumption, elements are sampled from the matrix group $\mathrm{G}$ to form quadruples $D=(H,H^x,H^y,H^{xy})$ and $R=(H,H^x,H^y,H^z)$, where $H$ is the generator of group $G$. The adversary $\mathcal{B}$’s input is $T=(H_1,H_2,H_3,H_4)$. The construction of $\mathcal{B}$ is as follows:

$$\begin{gathered} \mathcal{B}\left(T\right):\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} \\ pk=\left\{e_1,\dots ,e_l,H_4{E}_1{H}_4^{-1},\dots ,H_4{E}_l{H}_4^{-1},H_2\right\}; \\ \left(M_0,M_1\right)⟵\mathcal{A}\left(pk\right); \\ \beta {\leftarrow }_R\left\{\mathrm{0,1}\right\}; \\ C=cspdlp.Enc\left(pk,M_{\beta }\right); \\ { \beta }^{\prime }⟵\mathcal{A}\left(pk,C\right); \\ if {\beta }^{\prime }=\beta ,return 1,otherwise return 0. \end{gathered}$$

(18)

If the output is 1, then $\mathcal{B}$ guesses that the quadruple $T$ is the quadruple $D$. If the output is 0, then $\mathcal{B}$ guesses that the quadruple $T$ is the random quadruple $R$.

Assertion 1. 

$\mathcal{B}$’s simulation executed for $\mathcal{A}$ is correct and complete.

When  $T=D$,  $H_4=H^{xy}={(H}_2{)}^y$, where  $y$  is randomly chosen. For  $\mathcal{A}$, this scenario is equivalent to the public key used in the multiparty homomorphic encryption scheme. Due to the difficulty of the discrete logarithm problem (DLP),  $y$  cannot be directly computed. When  $T=R$, based on the conjugate search problem (CSP), it is computationally difficult to directly compute the matrix  $H_4$. Consequently, it is not feasible to verify whether  $H_4$  is independent of  $H_2$. Therefore, adversary  $\mathcal{A}$  cannot distinguish whether the game is constructed by the simulator. Assertion 1 is thus established.

Proof of Theorem 2. 

When $T=D$, $H_4=H^{xy}={(H}_2{)}^y$, where $y$ is randomly chosen. For adversary $\mathcal{A}$, the public keys and distribution of ciphertexts is identical to that in the execution of the multiparty homomorphic encryption scheme based on the CSP and DLP. Therefore, the probability of success for $\mathcal{A}$ is equal to the probability of $\mathcal{B}$ outputting 1, i.e., $\mathrm{Pr}\left[\mathcal{B}\left(T\right)=1|D\right]=\mathrm{P}\mathrm{r}\left[Succ\right]$. When $T=R$, $H_4$ is a randomly sampled element from the group and is independent of $H_2$. For adversary $\mathcal{A}$, based on the definition of the CSP, it is computationally difficult to determine $H_4$ solely knowing $E_i$. Hence, $\mathcal{A}$ has no information about $M_{\beta }$ and can only guess $\beta$ with a probability of $1/2$. Therefore, $\mathrm{Pr}\left[\mathcal{B}\left(T\right)=1|R\right]=1/2$, $\mathrm{Pr}\left[\mathcal{B}\left(T\right)=0|R\right]=1/2$.

$$\mathrm{Pr}\left[\mathcal{B}\left(T\right)=1\right]=\mathrm{Pr}\left[D\right]\mathrm{Pr}\left[\mathcal{B}\left(T\right)=1|D\right]+\mathrm{Pr}\left[R\right]\mathrm{Pr}\left[\mathcal{B}\left(T\right)=1|R\right]={\displaystyle \frac{1}{2\mathrm{Pr}\left[Succ\right]}}+{\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{2}}$$

(19)

$$\mathrm{Pr}\left[\mathcal{B}\left(T\right)=0\right]=\mathrm{Pr}\left[D\right]\mathrm{Pr}\left[\mathcal{B}\left(T\right)=0|D\right]+\mathrm{Pr}\left[R\right]\mathrm{Pr}\left[\mathcal{B}\left(T\right)=0|R\right]={\displaystyle \frac{1}{2\left[1-\mathrm{Pr}\left[Succ\right]\right]}}+{\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{2}}$$

(20)

Since $\mathcal{B}\left(T\right)=0$ and $\mathcal{B}\left(\overline{T}\right)=1$ are equivalent events, the quantity $|\mathrm{Pr}\left[\mathcal{B}\left(T\right)=1\right]-\mathrm{Pr}\left[\mathcal{B}\left(T\right)=0\right]|$ aligns with the definition of advantage in Definition 3. Specifically, $\left|\mathrm{Pr}\left[\mathcal{B}\left(T\right)=1\right]-\mathrm{Pr}\left[\mathcal{B}\left(T\right)=0\right]\right|=|\mathrm{Pr}\left[Succ\right]-1/2|$, if adversary $\mathcal{A}$ attacks the multiparty homomorphic encryption scheme with a non-negligible advantage $ϵ\left(\mathcal{K}\right)$, then adversary $\mathcal{B}$ can use adversary $\mathcal{A}$ to attack the DDH hypothesis with the same advantage. □

3.3. System Security Analysis

Since the security analysis of the multiparty homomorphic encryption algorithm is based on the difficult assumption definitions of the CSP and DLP, and the security analysis of this algorithm has been provided in the previous section, it is only necessary to analyze from the perspective of the participants and prove that the data uploaded by each participant are secure for any participant. The proof method adopts the ideal/real model analysis method, considering that all the participants are semi-honest models and will complete the calculation goals according to the process of the scheme.

To prove that the rival participant cannot infer the information from the encrypted data, it is only necessary to prove that the encrypted values and random values received by the rival participant are computationally indistinguishable. Since the encrypted data are based on the security analysis of multiparty homomorphic encryption, the encrypted values are computationally indistinguishable to the rival participant.

The security of communication in the scheme has been guaranteed by multiparty homomorphic encryption security, so it is proven that only the rival participant needs to be modeled. To construct a simulator $S$, $S$ takes the rival participant as the ideal rival of the subroutine. In the real world, $S$ interacts with the rival participant as a normal participant. In addition, $S$ can perform the generation of real model encryption with a trusted third party (TTP). During the simulation process, the simulator $S$ acts as a semi-honest participant, and the process is described as follows:

(1)

The simulator $S$ generates real encrypted data by interacting with the TTP.

(2)

The simulator $S$ sends the results to the rival participant. There are two situations for this sending:

(1)

$S$ sends the real encrypted data $C_i$ to the rival participant.

(2)

$S$ selects a random number r to form plaintext data composed of random values and encrypts it with the same public key to obtain the encrypted data $C_S$.

During the simulation process, the view information obtained by the rival participant is as follows:

$${view}_{rival}=(C_1,\dots ,C_i,\dots ,C_n)$$

(21)

$$S_{rival}=(C_1,\dots ,C_S,\dots ,C_n)$$

(22)

In the real world, the messages received by the rival participant are obtained by the participants executing the actual scheme. However, in the ideal world, these messages are generated by the simulator $S$. Since the messages received by the rival participant in both the real world and the ideal world are ciphertexts obtained through public key encryption, based on the semantic security of the algorithm, ciphertexts $C_i$ and $C_S,$ are computationally indistinguishable. That is, $C_i{}^c\equiv C_S$. Therefore, in the scheme, the rival participant is unable to distinguish whether the message is sent by simulator $S$, and thus cannot distinguish between the ideal world and the real world. The views of both satisfy Definition 7 for rival participants.

During the ciphertext decryption stage, semi-honest users do not disclose the recovered part of the private key when restoring it. Instead, they decrypt the ciphertext in the same way as during the keyswitch stage. Different authorized users hold different parts of the private key, thus ensuring that authorized users do not decrypt the original data uploaded by other users.

The span program is similar to the threshold scheme based on linear secret sharing. If there is a certain number of malicious nodes in the vehicle, for the collusion attack of malicious nodes, the authorization set is divided based on the span program. If the malicious opponent does not reach the number of the authorization set, then the data cannot be decrypted.

4. Experimental Analysis

In this section, we will evaluate the proposed multiparty homomorphic encryption algorithm from various perspectives, including computational efficiency and communication overhead, and analyze its suitability for applications in vehicular networks.

Our experimental setup is illustrated in Figure 5, where vehicles are equipped with Nvidia Carmel ARM v8.2 64-bit CPUs with 8.0 GB RAM, and the server is configured with an 11th Gen Intel(R) Core(TM) i5-11400F CPU with 32.0 GB RAM and an Ubuntu 18 operating system.

In the experiment, we first compared the proposed multiparty homomorphic encryption scheme with mainstream homomorphic encryption schemes to analyze its suitability in vehicular networks by comparing encryption and decryption times, addition and multiplication times, and ciphertext size. The experimental setup of this study mirrors that of [20]. We utilized the publicly available Palisade homomorphic encryption library to run the following schemes: CKKS [31], BGV [32], BFV [33], and TFHE [34]. The security level of the mainstream schemes was set to 128, and the results are presented in

Table 1. Basic performance comparison.

Schemes/Us	Enc	Dec	Add	Mul	Size
CKKS	5.45 × 103	5.78 × 103	103.05	3.14 × 103	559 KB
BGV	4.22 × 103	0.84 × 103	134.12	2.96 × 103	669 KB
BFV	4.24 × 103	0.80 × 103	93.85	8.32 × 103	908 KB
TFHE	41.85	8.05	10.1 × 103	10.2 × 103	16 B
Ours	27.454	9.4	7.67	13.612	416 B

.

Although the proposed CSP scheme is theoretically grounded in matrix operations—potentially introducing higher computational complexity—its practical implementation demonstrates a significantly smaller security parameter $n$ compared to other schemes at equivalent security levels. In homomorphic encryption, the role of $n$ varies across paradigms: in BGV/BFV, $n$ defines the modulus-switching hierarchy by determining the polynomial ring dimension, where larger $n$ enhances security but escalates computational overhead. In CKKS/TFHE, $n$ acts as the polynomial basis degree, trading improved parallel performance for exponential growth in ciphertext size and memory consumption. In contrast, the CSP defines $n$ as the matrix dimension. As formally stated in Definition 1 and rigorously proven by Begelfor [28], the group factorization problem achieves super-polynomial complexity in classical models when $n\ge 4$, whereas mainstream schemes like BGV/BFV require $n\ge 1024$ to attain comparable security. This characteristic gives the CSP a significant advantage in parameter scale, and the experimental results will also be better.

From Table 1, it can be observed that the encryption and decryption speeds of our proposed scheme were much lower compared to the CKKS, BGV, and BFV schemes, but comparable to the TFHE scheme. In homomorphic addition operations, our scheme outperformed several schemes, including the faster BFV, by being approximately 10 times faster, with an average time of less than 10 µs. Regarding homomorphic multiplication operation, our scheme outperformed existing homomorphic encryption schemes by a significant margin. In the IoV, the computational capabilities of vehicle devices vary. To better adapt to vehicle computing devices, it is essential to have a homomorphic encryption algorithm with low encryption and decryption times, as well as low addition and multiplication computation overhead. Our proposed scheme demonstrated lower computational overhead across various aspects compared to other mainstream homomorphic encryption schemes.

Furthermore, in terms of ciphertext size, our scheme’s ciphertext size was much smaller than the other three schemes, being only larger than TFHE, but still less than 1 KB in size. Considering the inherent instability and dynamism of vehicular networks, the size of transmitted data must be kept small to avoid network congestion. Our scheme’s ciphertext size was relatively small compared to other schemes, making it more suitable for communication in vehicular networks.

As shown in

Table 2. Impact of data volume on communication load.

Schemes/Data Volume per Vehicle	200	400	600	800	1000
CKKS	0.5 GB	1.2 GB	1.4 GB	2.2 GB	2.9 GB
BGV	0.7 GB	1.3 GB	2.2 GB	3.1 GB	3.8 GB
BFV	1.1 GB	1.8 GB	3.3 GB	3.7 GB	4.9 GB
TFHE	19 KB	32 KB	58 KB	65 KB	80 KB
Ours	0.8 MB	1.5 MB	2.1 MB	2.8 MB	3.5 MB

, the communication load of the CSP scheme remained within the MB range, which is much smaller than that of other homomorphic encryption schemes. Although TFHE operates at the KB level, its computational load is large, so it has no advantage in the internet of vehicles scenario. Therefore, in the internet of vehicles environment, considering the computing load and communication load comprehensively, the CSP has more advantages.

The above content compared the basic modules of the multiparty homomorphic encryption scheme with mainstream homomorphic encryption schemes. In the following experiments, we compared it with the most efficient setting in the existing fastest scheme [13], and the results are shown in

Table 3. Access-structure multiparty homomorphic encryption comparison.

Ours	$\mathit{t}$	7	14	19
MHE.SETUP	Step1	3.78 ms	3.78 ms	3.78 ms
	Step2	0.056 ms	0.056 ms	0.056 ms
	Step3	2.45 ms	2.45 ms	2.45 ms
MHE.DECRYPT	Step1	0.522 ms	0.634 ms	0.783 ms
	Step2	0.0825 ms	0.0825 ms	0.0825 ms
Mouchet et al.	$\mathit{t}$	7	14	19
MHE.SETUP	Step1	0.5 ms	0.5 ms	0.5 ms
	Step2	10.4 ms	22.0 ms	30.4 ms
MHE.DECRYPT	Step1	<0.1 ms	<0.1 ms	<0.1 ms
	Step2	0.8 ms	0.8 ms	0.8 ms

. We set a total of $n=20$ vehicles, and the maximum number of authorized subsets was denoted by $t$. In the initialization phase of the multiparty homomorphic encryption algorithm, the overall time overhead was less than that of existing schemes, and it did not increase with the increase of $t$. In the multiparty decryption phase of the multiparty homomorphic encryption scheme, when the number of subsets $t$ was less than 15, the decryption speed was lower than that of existing schemes. For scenarios with vehicles having low computational capabilities in the IoV, our proposed scheme, due to its low computational overhead, can also perform well.

The practical utility of multiparty homomorphic encryption schemes was assessed by conducting experiments built upon the framework outlined in [21]. We ran federated learning code on the experimental equipment using a dataset provided by the Kaggle website, consisting of images of non-emergency and emergency vehicles. The experimental goal was to classify emergency and non-emergency vehicles. In the experiment, we compared whether the gradients were encrypted using the FedAvg algorithm [35] to test the effectiveness of the multiparty homomorphic encryption scheme in the internet of vehicles. The experimental results are shown in Figure 6. After 25 rounds of training, the accuracy of the test dataset remained at a high level. For federated learning with the same number of clients, using the multiparty homomorphic encryption scheme had little impact on the convergence of training.

5. Conclusions

To achieve secure computation among multiple vehicles in the IoV, we first proposed an asymmetric homomorphic encryption scheme based on the discrete logarithm and the conjugate search problems. Based on this asymmetric homomorphic encryption scheme, we developed a multiparty homomorphic encryption scheme, enabling secure computation among multiple parties. Our proposed multiparty homomorphic encryption scheme protected the privacy data transmitted in the IoV while ensuring the correct computation of encrypted data.

Comparing our proposed scheme with state-of-the-art solutions in terms of the efficiency of basic encryption algorithms and the efficiency of the multiparty homomorphic encryption scheme workflow, our approach demonstrated higher efficiency. Finally, through federated learning experiments in the IoV, we validated the practical applicability of our proposed scheme.